Automattic\WooCommerce\Api\Infrastructure

GraphQLControllerBase::is_introspection_allowed() private WC 1.0

Check whether GraphQL introspection is allowed for this request.

The principal opts in via a can_introspect(): bool method; principals that don't declare it are denied by default. The decision is then passed through the woocommerce_graphql_can_introspect filter so sites can grant or revoke access without subclassing the principal — useful for per-request rules (specific IPs, headers, query parameters, etc.).

Fail-closed contract: the principal must be non-null (principal-resolution failures deny outright, before the filter is consulted), the principal method's return value is compared with === true, and any throw from either the principal method or the filter callback denies. The filter must likewise return strictly true to allow; any other value denies.
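A filter callback that follows this contract, as an added example rather than WooCommerce's own code: it narrows the principal's decision to one allowlisted client address plus a shared-secret header, and always returns a strict bool. The `example_introspection_rule()` function, the `EXAMPLE_INTROSPECTION_TOKEN` constant, the header name and the 192.0.2.10 address are assumptions made for illustration; the docblock in the method source marks the filter `@internal`.

```php
<?php
// Added example, not WooCommerce code. Names prefixed example_/EXAMPLE_ are hypothetical.

/**
 * Pure decision function: it can only narrow the principal's decision, never widen it.
 * It always returns a real bool, because the controller compares the result with === true.
 */
function example_introspection_rule( $principal_decision, string $remote_addr, string $sent_token, array $allowed_ips, string $expected_token ): bool {
	if ( true !== $principal_decision ) {
		return false; // Principal did not opt in: this rule does not grant on its own.
	}
	if ( false === filter_var( $remote_addr, FILTER_VALIDATE_IP ) ) {
		return false; // Missing or malformed address.
	}
	if ( ! in_array( $remote_addr, $allowed_ips, true ) ) {
		return false; // Exact-match allowlist only.
	}
	// An empty expected token means the rule is unconfigured: deny.
	return '' !== $expected_token && hash_equals( $expected_token, $sent_token );
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: register the rule on the filter described above.
	add_filter(
		'woocommerce_graphql_can_introspect',
		static function ( $can_introspect, $principal, $request ) {
			// REMOTE_ADDR is the direct peer; behind a reverse proxy it is the proxy's address.
			$remote_addr = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
			$sent_token  = (string) $request->get_header( 'x-example-introspection-token' );
			$expected    = defined( 'EXAMPLE_INTROSPECTION_TOKEN' ) ? (string) EXAMPLE_INTROSPECTION_TOKEN : '';
			return example_introspection_rule( $can_introspect, $remote_addr, $sent_token, array( '192.0.2.10' ), $expected );
		},
		10,
		3
	);
} else {
	// Stand-alone run with the PHP CLI, using constructed inputs.
	$ips = array( '192.0.2.10' );
	var_dump( example_introspection_rule( true, '192.0.2.10', 's3cret', $ips, 's3cret' ) );   // opted in, allowlisted, token matches
	var_dump( example_introspection_rule( 1, '192.0.2.10', 's3cret', $ips, 's3cret' ) );      // truthy but not strictly true
	var_dump( example_introspection_rule( true, '198.51.100.7', 's3cret', $ips, 's3cret' ) ); // address not allowlisted
	var_dump( example_introspection_rule( true, '192.0.2.10', '', $ips, '' ) );               // token unconfigured
}
```

A callback that returns a truthy non-bool such as `1` or `'yes'` would be denied by the final `true === $can_introspect` comparison, which is why the rule is typed `: bool`.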

Method of the class: GraphQLControllerBase{}

Hooks from the method

Returns

bool. true only when introspection is allowed for this request; false otherwise.

Usage

// private - for code of main (parent) class only
$result = $this->is_introspection_allowed( ?object $principal, $request ): bool;
$principal (?object) (required)
$request (WP_REST_Request) (required)
The REST request.

GraphQLControllerBase::is_introspection_allowed() code WC 10.9.1

private function is_introspection_allowed( ?object $principal, \WP_REST_Request $request ): bool {
	if ( is_null( $principal ) ) {
		return false;
	}

	try {
		$can_introspect = method_exists( $principal, 'can_introspect' )
			&& true === $principal->can_introspect();

		/**
		 * Filters whether the current principal may run GraphQL introspection.
		 *
		 * The filter receives the principal-derived decision (false when the
		 * principal doesn't declare `can_introspect()` or its `can_introspect()`
		 * doesn't return strictly `true`) and must return strictly `true` to
		 * grant access; any other return value denies. The filter is not
		 * invoked when principal resolution failed (i.e. when the controller
		 * passes a null principal) — that case denies outright.
		 *
		 * @since 10.9.0
		 *
		 * @internal
		 *
		 * @param bool             $can_introspect Whether the principal can introspect, derived from `$principal->can_introspect()`.
		 * @param object           $principal      The resolved principal.
		 * @param \WP_REST_Request $request        The REST request being processed.
		 */
		$can_introspect = apply_filters( 'woocommerce_graphql_can_introspect', $can_introspect, $principal, $request );
	} catch ( \Throwable $e ) {
		return false;
	}

	return true === $can_introspect;
}